In this article we are going to see the keytool commands. You need to kow basic encryption(public-private) key concept to understand fully.

What is keytool?

keytool is a key and certificate management utility that manages a keystore of cryptographic keys , X.509 certificate chain, trusted certificates.

  • Users can use their public/private key-pairs and associated certificates for authentication/data integrity or digital signatures.
  • It allows to cache the public keys of communication pairs(as certificate).
  • It stores the keys and certificate in a keystore.

Syntax

keytool [commands]
  • A certificate is a digitally signed statement from any one saying that the public key(added with some info) of some one with value.
  • All commands /options are started with (-) sign
  • Options for each command should be provided in order
  • Rules of Braces {}
    • Braces are used with an option to define that as Default(if not specified)
    • Braces are used with -v, -rfc, -J
  • Brackets() , are used with an option to define that , it will prompt to user for value if not specified.
  • Items written in italic with option defined as “Must be supplied” item.
  • Blank value congaing Options must be coated.

Common Options :

  • v : Signifies “verbose” mode
  • J(option) : Pass option string is passed through directly to the Java interpreter.
  • storetype (storetype) : To specify type of keystore to be instantiated.
  • keystore (keystore) : The keystore location.(if not exist, create new file)
  • storepass (storepass) : The password to protect the integrity of the keystore.(Min 6 char). By Default , it will be prompt and warning on not providing.
  • providerName (provider_name) : Used to identify a cryptographic service provider’s name when listed in the security properties file.
  • providerClass (provider_class_name) : Used to specify the name of cryptographic service provider’s master class file when the service provider is not listed in the security properties file.
  • providerArg (provider_arg) : Used in conjunction with -providerClass to set a string input argument for the constructor of provider_class_name(optional)
  • protected (true/false). True = Password must be given via a protected authentication path (such as a dedicated PIN reader)

Note: -keystore option is passed to the KeyStore.load method. If NONE is specified as the URL, then a null stream is passed to the KeyStore.load method. NONE should be specified if the KeyStore is not file-based.

Generate Certificate Key Pair

-genkeypair {-alias myAlias} {-keyalg myKeyalg} {-keysize myKeysize} {-sigalg mySigalg} [-dname myDname] [-keypass myPass] {-validity valDays} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J[option]}
  • Generates a key pair (Combination of a public key and private key).
  • Wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain.
  • alias defines a new keystore which contains this certificate chain and the private key
  • keyalg specifies the algorithm to generate the key pair
  • keysize specifies the size of each key
  • sigalg specifies the algorithm for self-signed certificate(this algorithm must be compatible with keyalg selected algorithm)
  • dname specifies the associated X.500 Distinguished Name with alias. It is the issuer and subject fields in the self-signed certificate. As it is in brackets, so when no distinguished name , the user will be prompted for input.
  • keypass defines the password used to protect the private key. As it is in brackets ,so if no password user will be prompted for it.
  • validity Defines the certificate validation period in days.
  • genkey and genkeypair are same.

Generate a secret key

-genseckey {-alias myAlias} {-keyalg myKeyalg} {-keysize myKeysize} [-keypass myPass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J[option]}
  • Generates a secret key and stores it in a new KeyStore. SecretKeyEntry identified by alias.

Import a Certificate

    -importcert {-alias myAlias} {-file cert_file} (-keypass myPass) {-noprompt} {-trustcacerts} {-storetype storetype} {-keystore keystore} (-storepass storepass) {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J(option)}
  • Reads the certificate/certificate chain (PKCS#7 formatted reply) from cert_file, and stores it in the keystore entry identified by alias.
  • alias option value will define which type of import.

keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type.

Why importing certificates?

  • To add it to the list of trusted certificates
  • To import a certificate reply received from a CA as the result of submitting a Certificate Signing Request to that CA.
  • If the myAlias does not point to a key entry, then keytool assumes you are adding a trusted certificate entry. In this case, the myAlias should not exist in the keystore. If the myAlias exists, then keytool outputs an error, since there is already a trusted certificate for that alias, and does not import the certificate.
  • If the myAlias points to a key entry, keytool assumes you are importing a certificate reply.

How importing new Trusted Certificate works?

Before adding the certificate to the keystore, keytool tries to verify it by attempting to construct a chain of trust from that certificate to a self-signed certificate (belonging to a root CA), using trusted certificates that are already available in the keystore. -trustcacerts option specifies the certificates to be considered for chain of trust(certificates in a file named “cacerts”). If keytool fails to establish a trust path from the certificate to be imported up to a self-signed certificate (keystore/”cacerts” file), the certificate is printed to user prompted to verify it. -noprompt option sets no interaction with the user.

How Certificate Reply works?

When importing a certificate reply, it’s validated using trusted certificates from the keystore. If the -trustcacerts option specified, validation will be done from cacerts keystore file.

determining trusted certificate reply :

  • If the reply is a single X.509 certificate, keytool attempts to establish a trust chain, starting at the certificate reply and ending at a self-signed certificate (belonging to a root CA). The certificate reply and the hierarchy of certificates used to authenticate the certificate reply form the new certificate chain of alias. If no trust chain , the certificate reply is not imported and keytool does not print certificate but prompts user to verify.
  • If the reply is a PKCS#7 certificate , it is first ordered (First User certificate, Last self-signed root CA certificate ), before keytool attempts to match the root CA certificate provided in the reply with any of the trusted certificates in the keystore or (if the -trustcacerts option was specified), the “cacerts” keystore file . If no match found, the root CA certificate info is printed to user prompted to verify. -noprompt option sets no interaction with the user.
  • If the public key in the certificate reply matches the user’s public key already stored with under alias, the old certificate chain is replaced with the new certificate chain in the reply(with valid private keypass, if no password / different from the keystore password, the user is prompted for it).
  • importcert and import are same.

Import entry/entries

-importkeystore -srckeystore srckeystore -destkeystore destkeystore {-srcstoretype srcstoretype} {-deststoretype deststoretype} [-srcstorepass srcstorepass] [-deststorepass deststorepass] {-srcprotected} {-destprotected} {-srcalias srcalias {-destalias destalias} [-srckeypass srckeypass] [-destkeypass destkeypass] } {-noprompt} {-srcProviderName src_provider_name} {-destProviderName dest_provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J[option]}
  • srcalias Imports the single entry identified by the alias to the destination keystore.
  • If no destalias, the srcalias is used as destination alias.
  • If the source entry is protected by a password, srckeypass will be used to recover the entry.
  • If srckeypass is not provided, then keytool will attempt to use srcstorepass to recover the entry.
  • If srcstorepass not provided/wrong the user will be prompted for the password.
  • destkeypass protects the destination entry
  • If destkeypass is not provided, the destination entry will be protected with the source entry password(srcstorepass)
  • If no srcalias, all entries in the source keystore are imported into the destination keystore.
  • If the source entry is protected by a password, srcstorepass will be used to recover the entry.
  • If srcstorepass is not provided/wrong, user will be prompted for a password.
  • If a source keystore entry type is not supported /error on storing an entry into the destination keystore, user will be prompted to skip or quit.
  • If the destination alias already exists in the destination keystore, the user is prompted to either overwrite the entry, or to create a new entry under a different alias name.
  • If -noprompt is provided, user will not be prompted and existing entries will be overwritten with the destination alias name for new.

Certificate Signing Request (CSR):

-certreq {-alias alias} {-sigalg sigalg} {-file certreq_file} [-keypass keypass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J[option]}
  • Generates a Certificate Signing Request (CSR), using the PKCS#10 format to a certificate authority (CA). The private key and X.500 Distinguished Name with alias are used to create the PKCS#10 certificate request.
  • To access the private key, correct password must be provided(if needed, but if not provided user will be prompted for it.)
  • sigalg specifies the algorithm to sign the CSR.
  • The CSR is stored in the file certreq_file.
  • If no file is given, the CSR is output to stdout.
  • importcert : Imports the response from the CA.

Export certificate

    -exportcert {-alias alias} {-file cert_file} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-rfc} {-v} {-protected} {-J[option]}
  • Reads (from keystore) certificate associated with alias, and stores it in cert_file.
  • If no file , the certificate is output to stdout.
  • if the -rfc option is specified, the certificate will be printable in Internet RFC 1421 standard(not in default binary format).
  • If alias refers to a trusted certificate, that certificate is output.
  • If not , alias refers to a key entry with an associated certificate chain(first certificate in the chain will be returned). This certificate authenticates the public key of the entity addressed by alias.
  • export and exportcert are same as function

Show keystore entry :

-list {-alias alias} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v | -rfc} {-protected} {-J[option]}
  • Prints the contents of the keystore entry identified by alias to stdout.
  • If no alias , the contents of the entire keystore are printed.
  • This command by default prints the MD5 fingerprint of a certificate.
  • If the -v option is specified, the certificate is printed in human-readable format, with more info (owner, issuer, serial number, and any extensions)
  • If the -rfc option is specified, certificate contents are printed with Internet RFC 1421 standard encoding.

Print keystore entry :

-printcert {-file cert_file} {-v} {-J[option]}
  • Reads the certificate from cert_file, and prints its contents in a human-readable format.
  • If no file is given, the certificate is read from stdin.

Save from Keystore :

    -storepasswd (-new new_storepass) {-storetype storetype} {-keystore keystore} (-storepass storepass) {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-J(option)}
  • Changes the password of the keystore contents.
  • The new password is new_storepass, which must be at least 6 characters long.

Change/Edit from Keystore

    -keypasswd {-alias alias} (-keypass old_keypass) (-new new_keypass) {-storetype storetype} {-keystore keystore} (-storepass storepass) {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-J(option)}
  • Changes the password under which the private/secret key identified by alias is protected, from old_keypass to new_keypass.
  • If the -keypass is not provided /incorrect (from keystore password), user is prompted for it.
  • If the -new is not provided, user is prompted for it.

Delete from Keystore

-delete (-alias alias) {-storetype storetype} {-keystore keystore} (-storepass storepass) {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J(option)}
  • Deletes the entry from the keystore (defined by alias).
  • The user is prompted if no alias is provided.

Copy from Keystore

-changealias {-alias alias} (-destalias destalias) (-keypass keypass) {-storetype storetype} {-keystore keystore} (-storepass storepass) {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J(option)}
  • Move an existing keystore entry from the specified alias to a new alias, destalias.
  • If no destination alias is provided, the command will prompt for one.
  • If the original entry has an entry password, it should be supplied by -keypass.
  • If no key password , the storepass (if given) will be used first and if fail , user will be prompted for a password.

From CLI

Key and Certificate Management Tool

Commands:

 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore